Bug#317642: [Logcheck-devel] Bug#317642: How to debug logcheck?
maximilian attems
debian at sternwelten.at
Mon Jul 11 11:55:44 UTC 2005
On Sun, 10 Jul 2005, Rainer Zocholl wrote:
> Hello
>
> i change the rules but logcheck seems to ignore them
>
> One example:
>
> REPORTLEVEL="server"
>
> logcheck send mails containing:
>
> Security Events
> =-=-=-=-=-=-=-=
> Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
> Jul 9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>
>
> i don't want to see those messages (currently)
>
> So i added a new rule to ipopd-ssl
>
> [20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH *
> ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
> logcheck.dpkg-old:authsrv.*AUTHENTICATE
>
> (BTW: Wouldn't it be better to add an entire new file?)
yes, add your local-packagename file.
> If i test the rule file with that:
>
> /etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog
>
> i exactly get the lines i don't want to see in logcheck output,
> so i assume that rule is OK.
>
> As there is the "magical" word "failure" i have to add that rule to
> violations.ignore too, or?
>
> [20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
> logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]
>
>
> /etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
> gives
> Jul 9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>
>
> So i assume the rules are right, or?
i wouldn't recommend the above rules for upstream inclusion,
but they look right.
> But why are they ignored by logcheck?
did you check the permissions of the file you added/changed?
ls -l /etc/logcheck/ignore.d.server/ssh
-rw-r----- 1 root logcheck 1165 2005-04-03 01:00 /etc/logcheck/ignore.d.server/ssh
maybe your umask is too restrictive and the above file can't be read
by logcheck? please post the output of
ls -l /etc/logcheck/violations.ignore.d/logcheck-ipop3
> I meanwhile have the feeling that logcheck is using entire
> other rule files than i edit (box root kitted?)
> Is there a way to debug logcheck?
> "-d" seems to give only hints to program flow but
> seems to be only a "one shot", so i can't debug the rules effectively.
would be cool to see if the above rule is mentioned in the debug hints.
did you check?
> Isn't there somewhere a tool (bayes?) to which i can feed the
> "unwanted" lines, which are then ignored by logcheck in future?
> (Like "tiger" does which only reports changes/new lines)
> Currently the "optimization" of the rule set took several weeks(!)
> as i have to wait hours to verify the most trivial change.
why? just invoke it from the commandline.
if you have sudo installed
sudo -u logcheck logcheck [options]
for example
sudo -u logcheck logcheck -t -o -d
else if you don't have sudo installed
su -s /bin/bash -c "/usr/sbin/logcheck [options]" logcheck
> What's the intended way to debug rules sets?
>
> Why can't the "egrep" trick be used to verify the rules?
> (What is logcheck adding to the rules to make them fail?)
>
> How can i verify which rules files logcheck really uses?
run debug.
> Where are the used rules (the files and their contents) logged?
not atm.
> How can i run "logcheck" repeatedly to debug?
see above.
i will add some examples to current manpage.
--
maks
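As an added example, not part of this thread and not logcheck's own code: a small POSIX shell script that checks a local rule file the way the reply above suggests, running egrep -f over the log to count which lines would be ignored and which would still be reported, and testing the group read bit that the permissions question is about. The log lines and the rule file are constructed for the demo; the rule is a tightened version of the one posted in the thread.

```shell
#!/bin/sh
# Added example (not logcheck's own code): exercise an ignore rule file the
# way logcheck does, with egrep -f over the log, and flag rule files whose
# mode would stop the logcheck user (group "logcheck") from reading them.
# The sample log lines and the rule file below are constructed for the demo.

# group_readable FILE: succeeds when the group read bit is set.
# logcheck runs as user logcheck; the shipped rule files are root:logcheck
# 0640, so a 0600 file written under a restrictive umask is never read.
group_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)        # e.g. -rw-r-----
    case "$mode" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# count_ignored RULEFILE LOGFILE: number of log lines the rules would drop.
count_ignored() {
    grep -E -c -f "$1" "$2" || :            # grep -c exits 1 on zero hits
}

# count_reported RULEFILE LOGFILE: number of lines that would still be mailed.
count_reported() {
    grep -E -v -c -f "$1" "$2" || :
}

# make_sample DIR: writes a constructed syslog excerpt and a local rule file.
make_sample() {
    cat > "$1/syslog" <<'EOF'
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul 10 09:12:07 machine ipop3ds[10310]: AUTHENTICATE CRAM-MD5 failure host=host.example [192.0.2.10]
Jul 10 09:13:00 machine sshd[10320]: Failed password for root from 192.0.2.20 port 4321 ssh2
EOF
    # Tighter than the thread's rule: pin the PID, the hostname shape and the
    # 84.141.0.0/16 range instead of ".*", so the second line is still reported.
    cat > "$1/local-ipopd" <<'EOF'
ipop3ds\[[0-9]+\]: AUTHENTICATE CRAM-MD5 failure host=p[0-9A-F]+\.dip0\.t-ipconnect\.de \[84\.141\.[0-9]+\.[0-9]+\]
EOF
    chmod 640 "$1/local-ipopd"
}

# Stand-alone run: print the counts and the permission check result.
d=$(mktemp -d); make_sample "$d"
echo "ignored:  $(count_ignored "$d/local-ipopd" "$d/syslog")"
echo "reported: $(count_reported "$d/local-ipopd" "$d/syslog")"
group_readable "$d/local-ipopd" && echo "rule file is group-readable"
rm -rf "$d"
```

To test a real rule file, point count_ignored and count_reported at a file under /etc/logcheck/ignore.d.server and at /var/log/syslog, and run the script as the logcheck user (sudo -u logcheck) so the permission check reflects what logcheck actually sees.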